b" FEDERAL INFORMATION SECURITY\n    MANAGEMENT ACT REPORT\n\n\nFiscal Year 2006 Evaluation of the Social Security\n      Administration's Compliance with the\n Federal Information Security Management Act\n\n\n\n\n            September 2006       A-14-06-16084\n\n\n        Patrick P. O\xe2\x80\x99Carroll, Jr. \xe2\x80\x93 Inspector General\n\x0c                                    Mission\nBy conducting independent and objective audits, evaluations and investigations,\nwe inspire public confidence in the integrity and security of SSA\xe2\x80\x99s programs and\noperations and protect them against fraud, waste and abuse. We provide timely,\nuseful and reliable information and advice to Administration officials, Congress\nand the public.\n\n                                   Authority\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n  \xc2\x81 Conduct and supervise independent and objective audits and\n    investigations relating to agency programs and operations.\n  \xc2\x81 Promote economy, effectiveness, and efficiency within the agency.\n  \xc2\x81 Prevent and detect fraud, waste, and abuse in agency programs and\n    operations.\n  \xc2\x81 Review and make recommendations regarding existing and proposed\n    legislation and regulations relating to agency programs and operations.\n  \xc2\x81 Keep the agency head and the Congress fully and currently informed of\n    problems in agency programs and operations.\n\n  To ensure objectivity, the IG Act empowers the IG with:\n\n  \xc2\x81 Independence to determine what reviews to perform.\n  \xc2\x81 Access to all information necessary for the reviews.\n  \xc2\x81 Authority to publish findings and recommendations based on the reviews.\n\n                                     Vision\nWe strive for continual improvement in SSA\xe2\x80\x99s programs, operations and\nmanagement by 
proactively seeking new ways to prevent and deter fraud, waste\nand abuse. We commit to integrity and excellence by supporting an environment\nthat provides a valuable public service while encouraging employee development\nand retention and fostering diversity and innovation.\n\x0c                                            SOCIAL SECURITY\n\nMEMORANDUM\n\nDate:   September 22, 2006                                                                        Refer To:\n\nTo:     The Commissioner\n\nFrom:   Inspector General\n\nSubject: Fiscal Year 2006 Evaluation of the Social Security Administration\xe2\x80\x99s Compliance with the\n        Federal Information Security Management Act (A-14-06-16084)\n\n\n        OBJECTIVE\n\n        Our objective was to determine if the Social Security Administration\xe2\x80\x99s (SSA) overall\n        security program and practices complied with the requirements of the Federal\n        Information Security Management Act of 2002 (FISMA) for Fiscal Year (FY) 2006. 1\n\n        BACKGROUND\n\n        FISMA provides the framework for securing the Federal Government\xe2\x80\x99s information\n        technology. All agencies must implement the requirements of FISMA and report\n        annually to the Office of Management and Budget (OMB) and Congress on the\n        effectiveness of their security programs.\n\n        OMB uses information reported pursuant to FISMA to evaluate agency-specific and\n        government-wide security performance, develop the annual security report to Congress,\n        and assist in improving and maintaining adequate agency security performance. OMB\n        issued FY 2006 FISMA guidance on July 17, 2006. 2 This guidance references and\n        incorporates the requirements of OMB Memoranda M-06-15 3 and M-06-19. 
4 For\n        additional information, see Appendix C.\n\n\n\n\n        1\n            Public Law 107-347, Title III, Section 301.\n        2\n            OMB Memorandum M-06-20, FY 2006 Reporting Instructions for the Federal Information Security\n            Management Act and Agency Privacy Management, July 17, 2006.\n        3\n            OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information, May 22, 2006.\n        4\n            OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and\n            Incorporating the Cost for Security in Agency Information Technology Investments, July 12, 2006.\n\x0cPage 2 \xe2\x80\x93 The Commissioner\n\n\nSCOPE AND METHODOLOGY\nFISMA directs each agency\xe2\x80\x99s Office of Inspector General (OIG) to perform an annual,\nindependent evaluation of the effectiveness of the agency\xe2\x80\x99s information security\nprogram and practices. 5 SSA\xe2\x80\x99s OIG contracted with PricewaterhouseCoopers, LLP\n(PwC) to audit SSA\xe2\x80\x99s FY 2006 financial statements. 6 Because of the extensive internal\ncontrol system review work that is completed as part of that audit, the OIG FISMA\nrequirements were incorporated into the PwC financial statement audit contract. This\nevaluation included reviews of SSA\xe2\x80\x99s mission critical sensitive systems as described in\nthe Government Accountability Office\xe2\x80\x99s Federal Information System Controls Audit\nManual (FISCAM). PwC performed an \xe2\x80\x9cagreed-upon procedures\xe2\x80\x9d engagement using\nFISMA, OMB, the National Institute of Standards and Technology (NIST) guidance,\nFISCAM, and other relevant security laws and regulations as a framework to complete\nthe required OIG review of SSA\xe2\x80\x99s information security program and its sensitive\nsystems. 
7 See Appendix D for more details on our Scope and Methodology.\n\nSUMMARY OF RESULTS\n\nDuring our FY 2006 evaluation, we determined that SSA generally met the FISMA\nrequirements. SSA continues to work towards maintaining a secure environment for its\ninformation and systems and has made improvements over the past year to further\nstrengthen its compliance with FISMA. For example, SSA continues to have sound\nremediation, certification and accreditation, and inventory processes. In FY 2006, SSA\ncompleted an inventory of all systems and subsystems. The SSA systems inventory\nconsisted of 20 major systems as well as over 300 subsystems. Our review found that\nthe FY 2006 inventory is accurate and complete.\n\nSSA also maintained Certifications and Accreditations (C&A) for all 20 major systems\nand conducted recertifications of 7 major systems using the NIST Special Publication\n800-37 guidance. 8 We reviewed all 20 C&As for the major systems and they were\nsubstantially compliant with NIST 800-37. See Appendix E for the complete list of major\nsystems that were certified and accredited in FY 2006.\n\n\n\n\n5\n    Public Law 107-347, Title III, Section 301, 44 U.S.C. \xc2\xa7 3545 (b)(1).\n6\n    OIG Contract Number GS-23F-0165N, dated March 16, 2001. FY 2006 option was exercised on\n    November 10, 2005.\n7\n    OMB Memorandum M-06-20, FY 2006 Reporting Instructions for the Federal Information Security\n    Management Act and Agency Privacy Management, July 17, 2006 and NIST Special Publication 800-26,\n    Security Self-Assessment Guide for Information Technology Systems, November 2001.\n8\n    NIST Special Publications 800-37, Guide for the Security Certification and Accreditation of Federal\n    Information Systems, May 2004.\n\x0cPage 3 \xe2\x80\x93 The Commissioner\n\n\nWe noted several areas that SSA needs to address to fully meet FISMA requirements\nwhile enhancing information management in this area. 
Nothing came to our attention to\nindicate that these issues would cause SSA to be non-compliant with FISMA. SSA\nshould ensure that:\n\n\xe2\x80\xa2     system access controls are adequately reviewed using a risk-based approach on a\n      consistent basis across the Agency;\n\n\xe2\x80\xa2     all Information Technology (IT) security weaknesses that are identified are reported\n      to the Office of the Chief Information Officer (OCIO) and are subject for inclusion in\n      Automated Security Self-Evaluation and Remediation Tracking (ASSERT);\n\n\xe2\x80\xa2     complete, current and accurate information systems security policies and\n      procedures are maintained and are accessible to appropriate employees;\n\n\xe2\x80\xa2     all agency and contractor personnel with significant IT security responsibilities are\n      identified and receive annual security awareness training; and\n\n\xe2\x80\xa2     the Continuity of Operations Plan (COOP) and Disaster Recovery Exercise (DRE)\n      are updated and tested appropriately.\n\nBased on the OMB FISMA guidance, 9 the SSA is supposed to provide additional\ninformation on its response to OMB M-06-15 and M-06-19. OMB memorandum\nM-06-15 re-emphasizes the protection of Personally Identifiable Information and\nrequires that the agency Senior Official for Privacy conduct a review. The SSA Senior\nOfficial for Privacy conducted the required review and issued a report. Also, OMB\nMemorandum M-06-19 requires agencies to report all incidents involving Personally\nIdentifiable Information to the United States Computer Emergency Readiness Team\n(US-CERT) within 1 hour of discovery. Based on our discussions with the Agency, SSA\nis currently redefining its interpretation of what an incident is to ensure full compliance\nwith OMB M-06-19. 
Subsequent to the issuance of M-06-19, SSA has reported several\nincidents to\nUS-CERT.\n\nWhile the OIGs do not have reporting requirements in these areas, we did review the\nSSA Senior Official for Privacy\xe2\x80\x99s report and nothing came to our attention that led us to\nbelieve that there were any significant omissions from this process. Further, since the\nAgency is still drafting its response to OMB M-06-19, we were unable to complete any\nwork in this area.\n\n\n\n\n9\n    OMB M-06-20, supra at cover page.\n\x0cPage 4 \xe2\x80\x93 The Commissioner\n\n\nENSURE SYSTEM ACCESS CONTROLS ARE ADEQUATELY REVIEWED\n\nNIST Special Publication 800-53a 10 requires that agencies have formal documented\naccess control policies and procedures that are reviewed and updated on a regular\nbasis. These reviews should be risk-based and consistently applied across the\nAgencies. SSA has established a control that grants access to IT resources based on a\nuser profile. 11 A user profile is created based on each individual job\xe2\x80\x99s responsibilities.\nSSA completed a review of user profiles across the Agency during the reporting period.\nHowever, we found SSA did not have clear policies and procedures on how the review\nshould be conducted. As a result, instances of excessive access were not identified\nand corrected by the Agency and users continued to have excessive access. SSA\nshould ensure that user profiles only provide access to systems resources necessary to\nmeet user job requirements. SSA needs to strengthen its access control processes to\nensure that the user profiles are adequately reviewed and tested.\n\nENSURE THAT ALL IDENTIFIED IT SECURITY WEAKNESSES ARE INCLUDED IN\nTHE AGENCY\xe2\x80\x99S REMEDIATION PROCESS\n\nOMB FISMA guidance states that all IT system security weaknesses be reported and\ntracked through remediation in one central location. 12 The OCIO was designated by\nSSA as the responsible component. 
The SSA OCIO, using the software tool ASSERT,\nestablished a system to monitor and report on IT security weaknesses. ASSERT is also\nused to support the Plan of Action & Milestones (POA&M) process that tracks identified\nIT security weaknesses through remediation.\n\nWhile we found that the SSA OCIO ASSERT tool was working effectively, we also\nlearned that the OCIO did not receive all reports on IT security weaknesses. We\nidentified reviews that were conducted by an SSA contractor during the current\nreporting cycle that focused on assets that are critical to the SSA IT infrastructure.\nThese reviews identified multiple IT security weaknesses that need to be recognized,\nincluded and addressed as part of the ASSERT process.\n\nThe Agency is in the process of developing policies and procedures to ensure that all IT\nsecurity weaknesses are appropriately included in the tracking and remediation\nprocess. The Agency needs to ensure that these policies and procedures are adhered\nto and fully implemented.\n\n\n\n\n10\n     NIST Special Publications 800-53a, Guide for Assessing the Security Controls in Federal Information\n     Systems, April 2006, page 42.\n11\n     User profiles provide a means to classify groups of individuals who share common access needs for\n     similar job requirements. Top Secret security software controls the user profiles, as well as monitors\n     who can access and change critical data requirements.\n12\n     OMB M-06-20, supra at page 7.\n\x0cPage 5 \xe2\x80\x93 The Commissioner\n\n\nINFORMATION SYSTEMS SECURITY POLICIES AND PROCEDURES NEED TO BE\nCURRENT, COMPLETE, AND AVAILABLE TO AGENCY PERSONNEL\n\nAdequate security policies and procedures that are used throughout the Agency are\nessential to ensure an effective management oversight process as well as a sound\nsecurity framework required by FISMA. SSA\xe2\x80\x99s information systems security policy and\nprocedures are driven by the Information Systems Security Handbook (ISSH). 
The\nISSH is accessible on the Agency\xe2\x80\x99s Intranet site. During the current reporting period,\nthe Agency was in the process of revising the ISSH and related procedures. At the\ncompletion of our fieldwork, the ISSH and related procedures had not been completely\nrevised and updated. The Agency must ensure that a complete, accurate, and current\nversion of Agency security policies and procedures are available to appropriate\npersonnel.\n\nALL SSA EMPLOYEES AND CONTRACTOR PERSONNEL WHO HAVE\nSIGNIFICANT IT SECURITY RESPONSIBILITIES NEED TO RECEIVE\nAPPROPRIATE TRAINING\n\nAccording to OMB FISMA guidance, agencies are required to ensure that employees\nand contractor personnel with significant IT security responsibilities receive security\nawareness and specialized training. 13 SSA ensures that security awareness training is\nprovided to all employees by requiring them to annually read the Sanctions for\nUnauthorized Systems Access Violations and sign that they have read and understand\nthis document. 14 Contractor personal are provided security awareness training by their\nemployer. According to SSA, Agency employees and contractor personnel with\nspecialized security responsibilities are to be provided additional security training.\n\nAt this time, SSA has not adopted a policy that clearly defines employees who have\n\xe2\x80\x9csignificant IT security responsibilities.\xe2\x80\x9d SSA\xe2\x80\x99s current practice is that each component\nmakes its own interpretation of what constitutes employees who have \xe2\x80\x9csignificant IT\nsecurity responsibilities.\xe2\x80\x9d Based on what the components have determined for the\ncurrent reporting period, SSA has identified 442 employees with significant IT security\nresponsibilities, of which, 92 percent have completed the required training. Additionally,\nby not having an Agency-wide policy, it is possible for two employees with the same job\nresponsibilities to be classified differently. 
Therefore, one individual may receive the\nappropriate training and the other may not.\n\nIndustry and other Federal Government Agencies have a more stringent interpretation\nof OMB guidance. They have identified many more individuals as meeting the definition\nof what constitutes an individual with \xe2\x80\x9csignificant IT security responsibilities.\xe2\x80\x9d\n\n\n\n\n13\n     OMB M-06-20, supra at page 35.\n14\n     http://eis.ba.ssa.gov/olmer/Links/sanctions/Instructions.htm as of September 15, 2006.\n\x0cPage 6 \xe2\x80\x93 The Commissioner\n\n\nParticularly in light of the additional focus on the security of Personally Identifiable\nInformation, SSA should consider redefining its definition of individuals with \xe2\x80\x9csignificant\nIT security responsibilities\xe2\x80\x9d to ensure appropriate security training coverage.\n\nSSA CONTINUITY OF OPERATIONS TESTING\n\nFISMA codifies a longstanding policy requirement that each agency\xe2\x80\x99s security program\nand security plan include provisions in its COOP for information systems that support\nthe operations and assets of the agency. 15 SSA needs to make certain that both the\nCOOP and DRE are updated annually to ensure that the Agency can adequately\nfunction in the event of an emergency or disaster. The Agency Intranet and Internet are\nan integral part of Agency operations, and are currently not included in the COOP or\nDRE. Agency components have an expectation that these services will be quickly\nrecovered in the event of an interruption or disaster. DRE testing of all critical\napplications would provide assurance as to the Agency\xe2\x80\x99s ability to recover. The Agency\nshould include applications, such as Internet, Intranet, email and other important\nsystems in the COOP and DRE. Also, the Agency should ensure that the COOP and\nDRE are updated and tested at least annually. 
16\n\nCONCLUSIONS AND RECOMMENDATIONS\nDuring our FY 2006 FISMA evaluation, we determined that SSA generally met the\nrequirements of FISMA. SSA worked cooperatively with the OIG to identify ways to\ncomply with FISMA. SSA developed and implemented a wide range of security policies,\nplans, and practices to safeguard its systems, operations, and assets. To fully comply\nand ensure future compliance with FISMA and other information security related laws\nand regulations, we recommend SSA ensure:\n\n1. system access controls are adequately reviewed using a risk-based approach on a\n   consistent basis across the Agency;\n\n2. all IT security weaknesses identified are reported to the OCIO and, where\n   appropriate included in ASSERT;\n\n\n\n\n15\n     Public Law 107-347, Title III, Section 301, 44 U.S.C \xc2\xa7 3544(b)(8).\n16\n     Federal Emergency Management Agency Federal Preparedness Circular 65, Federal Executive Branch\n     Continuity of Operations, June 15, 2004.\n\x0cPage 7 \xe2\x80\x93 The Commissioner\n\n\n3. complete, accurate and current information systems security policies and\n   procedures are maintained and accessible to appropriate employees;\n\n4. it has developed an appropriate definition of employees and contractors with\n   \xe2\x80\x9csignificant IT security responsibilities,\xe2\x80\x9d and using that definition, has identified and\n   ensured that all such individuals received the necessary security training; and\n\n5. the COOP and DRE include all essential applications and are updated and tested\n   appropriately.\n\n\n                                                   S\n                                                   Patrick P. 
O\xe2\x80\x99Carroll, Jr.\n\x0c                                      Appendices\nAPPENDIX A \xe2\x80\x93 Acronyms\n\nAPPENDIX B \xe2\x80\x93 Office of the Inspector General\xe2\x80\x99s Completion of OMB Questions\n             Concerning Social Security Administration\xe2\x80\x99s Compliance with the\n             Federal Information Security Management Act\n\nAPPENDIX C \xe2\x80\x93 Background and Current Security Status\n\nAPPENDIX D \xe2\x80\x93 Scope and Methodology\n\nAPPENDIX E \xe2\x80\x93 Systems Certified and Accredited in Fiscal Year 2006\n\nAPPENDIX F \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\x0c                                                       Appendix A\n\nAcronyms\nASSERT     Automated Security Self-Evaluation and Remediation Tracking\nC&A        Certification and Accreditation\nCOOP       Continuity of Operations Plan\nDRE        Disaster Recovery Exercise\nFIPS       Federal Information Processing Standards\nFISMA      Federal Information Security Management Act\nFISCAM     Federal Information System Controls Audit Manual\nFY         Fiscal Year\nIT         Information Technology\nISSH       Information Systems Security Handbook\nNIST       National Institute of Standards and Technology\nOCIO       Office of the Chief Information Officer\nOIG        Office of the Inspector General\nOMB        Office of Management and Budget\nPMA        President\xe2\x80\x99s Management Agenda\nPOA&M      Plan of Action and Milestones\nPwC        PricewaterhouseCoopers LLP\nSSA        Social Security Administration\nUS-CERT    United States Computer Emergency Readiness Team\n\x0c                                                                                  Appendix B\n\nOffice of the Inspector General\xe2\x80\x99s Completion of OMB\nQuestions Concerning Social Security\nAdministration\xe2\x80\x99s Compliance with the Federal\nInformation Security Management Act\n                                       Section C: Inspector General\n\n               
               Agency Name: Social Security Administration\n                                                 Question 1\n\n1. As required in FISMA, the IG shall evaluate a representative subset of systems, including\ninformation systems used or operated by an agency or by a contractor of an agency or other\norganization on behalf of an agency. By FIPS 199 risk impact level (high, moderate, low, or not\ncategorized) and by bureau, identify the number of systems reviewed in this evaluation for each\nclassification below (a., b., and c.).\n\nTo meet the requirement for conducting a NIST Special Publication 800-26 review, agencies can:\n1) Continue to use NIST Special Publication 800-26, or,\n2) Conduct a self-assessment against the controls found in NIST Special Publication 800-53.\nAgencies are responsible for ensuring the security of information systems used by a contractor of their agency\nor other organization on behalf of their agency, therefore, self reporting by contractors does not meet the\nrequirements of law. Self reporting by another Federal agency, for example, a Federal service provider, may\nbe sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.\n                                             a.                       b.                        
c.\n                                       FY 06 Agency            FY 06 Contractor       FY 06 Total Number of\n                                         Systems                   Systems                   Systems\n                    FIPS 199\n                   Risk Impact      Total       Number         Total     Number        Total        Number\nBureau Name           Level        Number      Reviewed       Number    Reviewed      Number       Reviewed\n                   High                   0              0          0             0          0              0\nSocial Security\n                   Moderate               8              8          0             0          8              8\nAdministration\n                   Low                   12             12          0             0         12             12\n                   Not\n                   Categorized            0              0          0             0          0              0\n                   Sub-total             20             20          0             0         20             20\nAgency Totals      High                   0               0         0             0           0               0\n                   Moderate               8               8         0             0           8               8\n                   Low                   12             12          0             0         12             12\n                   Not\n                   Categorized            0               0         0             0           0               0\n                   Total                 20             20          0             0         20             20\n\n\n\n\n                                                  B-1\n\x0c2. For each part of this question, identify actual performance in FY 06 by risk impact level and bureau,\nin the format provided below. 
From the representative subset of systems evaluated, identify the\nnumber of systems which have completed the following: have a current certification and accreditation,\na contingency plan tested within the past year, and security controls tested within the past year.\n\n                                              Question 2\n\n                                        a.                        b.                      c.\n                                    Number of           Number of systems       Number of systems for\n                                 systems certified       for which security    which contingency plans\n                                  and accredited        controls have been        have been tested in\n                                                       tested and evaluated     accordance with policy\n                                                           in the last year         and guidance\n\n\n                   FIPS 199\n                  Risk Impact     Total     Percent     Total     Percent of     Total       Percent of\nBureau Name          Level       Number     of Total   Number       Total       Number         Total\n                  High                  0      0.0%           0        0.0%              0         0.0%\nSocial Security   Moderate              8   100.0%            8      100.0%              8       100.0%\nAdministration\n                  Low                 12    100.0%           12      100.0%           12         100.0%\n                  Not\n                  Categorized           0      0.0%           0        0.0%              0         0.0%\n                  Sub-total           20    100.0%           20      100.0%           20         100.0%\nAgency Totals     High                  0      0.0%           0        0.0%              0         0.0%\n                  Moderate              8   100.0%            8      100.0%              8       100.0%\n                  Low                 12    
100.0%           12      100.0%           12         100.0%\n                  Not\n                  Categorized           0      0.0%           0        0.0%              0         0.0%\n                  Total               20    100.0%           20      100.0%           20         100.0%\n\n\n\n\n                                               B-2\n\x0c                                                 Question 3\n\nIn the format below, evaluate the agency\xe2\x80\x99s oversight of contractor systems, and agency system inventory.\n\n          The agency performs oversight and evaluation to ensure information\n          systems used or operated by a contractor of the agency or other\n          organization on behalf of the agency meet the requirements of FISMA,\n          OMB policy and NIST guidelines, national security policy, and agency\n          policy. Self-reporting of NIST Special Publication 800-26 and / or 800-53\n          requirements by a contractor or other organization is not sufficient,\n                                                                                      Almost Always, for\n          however, self-reporting by another Federal agency may be sufficient.\n 3.a.                                                                                 
example, approximately\n                                                                                      96-100% of the time\n          Response Categories:\n               - Rarely, for example, approximately 0-50% of the time\n               - Sometimes, for example, approximately 51-70% of the time\n               - Frequently, for example, approximately 71-80% of the time\n               - Mostly, for example, approximately 81-95% of the time\n               - Almost Always, for example, approximately 96-100% of the time\n\n          The agency has developed an inventory of major information systems\n          (including major national security systems) operated by or under the\n          control of such agency, including an identification of the interfaces\n          between each such system and all other systems or networks, including\n          those not operated by or under the control of the agency.\n                                                                                      Approximately 96-\n 3.b.1\n          Response Categories:                                                        100% complete\n               - Approximately 0-50% complete\n               - Approximately 51-70% complete\n               - Approximately 71-80% complete\n               - Approximately 81-95% complete\n               - Approximately 96-100% complete\n\n          If the Agency IG does not evaluate the Agency\xe2\x80\x99s inventory as 96-100%\n          complete, please list the systems that are missing from the inventory.\n 3.b.2                                                                                None missing\n          Missing Agency Systems\n          Missing Contractor Systems\n\n          The OIG generally agrees with the CIO on the number of agency owned\n 3.c.                                                                                           
Yes\n          systems.\n\n\n          The OIG generally agrees with the CIO on the number of information\n 3.d.     systems used or operated by a contractor of the agency or other                       Yes\n          organization on behalf of the agency.\n\n\n 3.e.     The agency inventory is maintained and updated at least annually.                     Yes\n\n\n  3.f.    The agency has completed system e-authentication risk assessments.                    Yes\n\n\n\n\n                                                 B-3\n\x0c                                                  Question 4\n\n\nThrough this question, and in the format provided below, assess whether the agency has developed,\nimplemented, and is managing an agency wide plan of action and milestone (POA&M) process. Evaluate the\ndegree to which the following statements reflect the status in your agency by choosing from the responses\nprovided in the drop down menu. If appropriate or necessary, include comments in the area provided below.\n\nFor items 4a.-4.f, the response categories are as follows:\n\n      -   Rarely, for example, approximately 0-50% of the time\n      -   Sometimes, for example, approximately 51-70% of the time\n      -   Frequently, for example, approximately 71-80% of the time\n      -   Mostly, for example, approximately 81-95% of the time\n      -   Almost Always, for example, approximately 96-100% of the time\n\n\n                      The POA&M is an agency wide process,\n                      incorporating all known IT security\n                      weaknesses associated with information      - Mostly, for example, approximately 81-\n          4.a.\n                      systems used or operated by the agency      95% of the time\n                      or by a contractor of the agency or other\n                      organization on behalf of the agency.\n\n                      When an IT security weakness is\n                      identified, program officials (including\n    
                                                              - Almost Always, for example,\n          4.b.        CIOs, if they own or operate a system)\n                                                                  approximately 96-100% of the time\n                      develop, implement, and manage\n                      POA&Ms for their system(s).\n\n                      Program officials, including contractors,\n                      report to the CIO on a regular basis (at    - Mostly, for example, approximately 81-\n          4.c.\n                      least quarterly) on their remediation       95% of the time\n                      progress.\n\n                      CIO centrally tracks, maintains, and\n                                                                  - Almost Always, for example,\n          4.d.        reviews POA&M activities on at least a\n                                                                  approximately 96-100% of the time\n                      quarterly basis.\n\n                   OIG findings are incorporated into the     - Almost Always, for example,\n          4.e.\n                   POA&M process.                             approximately 96-100% of the time\n                   POA&M process prioritizes IT security\n                   weaknesses to help ensure significant IT\n                                                              - Almost Always, for example,\n      4.f.         security weaknesses are addressed in a\n                                                              approximately 96-100% of the time\n                   timely manner and receive appropriate\n                   resources\nComments: 4a & 4c. 
We have concerns as to whether the OCIO is receiving all IT security weaknesses identified by
internal reports on a regular basis.

                                                  Question 5

OIG Assessment of the Certification and Accreditation Process. OMB is requesting IGs to provide a
qualitative assessment of the agency’s certification and accreditation process, including adherence to
existing policy, guidance, and standards. Agencies shall follow NIST Special Publication 800-37, “Guide for
the Security Certification and Accreditation of Federal Information Systems” (May 2004) for certification
and accreditation work initiated after May 2004. This includes use of FIPS 199 (February 2004), “Standards
for Security Categorization of Federal Information and Information Systems,” to determine an impact level,
as well as associated NIST documents used as guidance for completing risk assessments and security plans.

          Assess the overall quality of the Department's certification and accreditation process.

          Response Categories:
               - Excellent
               - Good
               - Satisfactory
               - Poor
               - Failing

          Response: Excellent

Comments:

                                                  Question 6

 6.a.     Is there an agency-wide security configuration policy?                               Yes
          Yes or No.

Comments:

          Configuration guides are available for the products listed below.
 6.b.     With a checkmark, identify which software is addressed in the agency-wide security
          configuration policy. Indicate whether or not any agency systems run the software. In
          addition, approximate the extent of implementation of the security configuration policy
          on the systems running the software.

          Table columns:
          - Product
          - Addressed in agency-wide policy? (Yes, No, or N/A)
          - Do any agency systems run this software? (Yes or No)
          - Approximate the extent of implementation of the security configuration policy on the
            systems running the software. Response choices include:
              - Rarely, or, on approximately 0-50% of the systems running this software
              - Sometimes, or on approximately 51-70% of the systems running this software
              - Frequently, or on approximately 71-80% of the systems running this software
              - Mostly, or on approximately 81-95% of the systems running this software
              - Almost Always, or on approximately 96-
100% of the systems running this software

Product                      Addressed in    Agency systems    Extent of implementation on systems
                             policy?         run it?           running this software
Windows XP Professional      Yes             Yes               Almost Always, approximately 96-100%
Windows NT                   Yes             Yes               Almost Always, approximately 96-100%
Windows 2000 Professional    Yes             Yes               Almost Always, approximately 96-100%
Windows 2000 Server          Yes             Yes               Almost Always, approximately 96-100%
Windows 2003 Server          Yes             Yes               Almost Always, approximately 96-100%
Solaris                      Yes             Yes               Almost Always, approximately 96-100%
HP-UX                        Yes             Yes               Almost Always, approximately 96-100%
Linux                        N/A             No                Rarely, approximately 0-50%
Cisco Router IOS             Yes             Yes               Almost Always, approximately 96-100%
Oracle                       Yes             Yes               Almost Always, approximately 96-100%
Other: IBM AS/400 (AIX),     Yes             Yes               Almost Always, approximately 96-100%
IBM zOS

Comments: According to SSA, Linux has been removed from all SSA computers connected to the
network as of March 29, 2006.

                                                  Question 7

Indicate whether or not the following policies and procedures are in place at your agency. If
appropriate or necessary, include comments in the area provided below.

 7.a.     The agency follows documented policies and procedures for identifying and reporting
          incidents internally.                                                                Yes
          Yes or No.

 7.b.     The agency follows documented policies and procedures for external reporting to law
          enforcement authorities.                                                             Yes
          Yes or No.

 7.c.     The agency follows defined procedures for reporting to the United States Computer
          Emergency Readiness Team (US-CERT).                                                  Yes
          http://www.us-cert.gov
          Yes or No.

Comments: 7.c. We still have not received information on how SSA plans to respond to OMB M-06-19.

                                                  Question 8

 8        Has the agency ensured security training and awareness of all employees, including
          contractors and those employees with significant IT security responsibilities?

          Response Choices include:
          - Rarely, or, approximately 0-50% of employees have sufficient training
          - Sometimes, or approximately 51-70% of employees have sufficient training
          - Frequently, or approximately 71-80% of employees have sufficient training
          - Mostly, or approximately 81-95% of employees have sufficient training
          - Almost Always, or approximately 96-100% of employees have sufficient training

          Response: Mostly, or approximately 81-95% of employees have sufficient training

Comments: We have concerns because the number of individuals with significant IT security
responsibilities went from approximately 900 reported last year to 452 reported this year. It appears
that all of the individuals with significant IT security responsibilities may not have been included in the
documentation we received.
We are also concerned that we were only provided information on security awareness and training
for NCC-based contractors.

                                                  Question 9

 9        Does the agency explain policies regarding peer-to-peer file sharing in IT security
          awareness training, ethics training, or any other agency-wide training?              Yes
          Yes or No.

                                                                                    Appendix C

Background and Current Security Status

The Federal Information Security Management Act (FISMA) requires agencies to create
protective environments for their information systems. It does so by creating a
framework for annual Information Technology (IT) security reviews, vulnerability
reporting, and remediation planning, implementation, evaluation, and documentation.[1]
In fiscal year 2005, SSA resolved the long-standing internal controls reportable
condition concerning its protection of information.[2] SSA continues to work with the
Office of the Inspector General and PricewaterhouseCoopers LLP to further improve
security over the protection of information and resolve other issues observed during
prior FISMA reviews.

OMB Memorandum M-06-15[3] reemphasizes existing requirements under the Privacy Act,[4]
including the establishment of employee rules of conduct, administrative, technical, and
physical safeguards for the protection of Personally Identifiable Information. M-06-15 also
requires that the agency’s designated Senior Official for Privacy conduct a review of
policies and processes, and take corrective action as appropriate to ensure that the
agencies have adequate safeguards to prevent the intentional or negligent misuse of, or
unauthorized access to, Personally Identifiable Information.
[5] This review is required to
address all administrative, technical, and physical means used by SSA to control such
information, including but not limited to procedures and restrictions on the use or removal of
Personally Identifiable Information beyond Agency premises or control.[6] This review is also
required to be completed by SSA in time for inclusion in the annual FISMA report. In
addition, any weaknesses identified in Agency security plans of action and milestones are
required to be reported. Also, employees are to be reminded within 30 days of the
issuance of M-06-15 of their specific responsibilities for safeguarding Personally Identifiable
Information, the rules for acquiring and using such information, as well as the penalties for
violating these rules.

1 Public Law 107-347, Title III, Section 301, 44 U.S.C. § 3544.
2 SSA’s FY 2005 Performance and Accountability Report, page 163.
3 OMB M-06-15, supra at page 1.
4 5 U.S.C. § 552a(e)(9)-(10).
5 OMB M-06-15, supra.
6 OMB M-06-15, supra at page 1-2.

OMB Memorandum M-06-19[7] provides updated guidance in two areas. The first area
addresses the reporting of security incidents involving Personally Identifiable
Information. The new reporting procedures now require agencies to report all incidents
involving Personally Identifiable Information, whether in electronic or physical form, to
US-CERT within 1 hour of discovery, and agencies are not to distinguish between
suspected and confirmed breaches. The second area addressed by M-06-19 reminds
departments and agencies that security and privacy requirements should be included in
fiscal year budget submissions for IT.
Additional detail is also requested on how
resources will be allocated in correcting existing security weaknesses.

7 OMB M-06-19, supra.

                                                                                    Appendix D

Scope and Methodology

The Federal Information Security Management Act (FISMA) directs each agency’s
Office of Inspector General (OIG) to perform, or have an independent external auditor
perform, an annual independent evaluation of the agency’s information security program
and practices, as well as a review of an appropriate subset of agency systems.[1] The
Social Security Administration (SSA) OIG contracted with PricewaterhouseCoopers LLP
(PwC) to audit SSA’s Fiscal Year (FY) 2006 financial statements. Because of the
extensive internal control system work that is completed as part of that audit, our FISMA
review requirements were incorporated into the PwC financial statement audit contract.
This evaluation included Federal Information System Controls Audit Manual (FISCAM)
level reviews of SSA’s mission critical sensitive systems. PwC performed an “agreed-upon
procedures” engagement using FISMA, the Office of Management and Budget
(OMB) Memorandum M-06-20, FY 2006 Reporting Instructions for the Federal
Information Security Management Act and Agency Privacy Management, National
Institute of Standards and Technology guidance, FISCAM, and other relevant security
laws and regulations as a framework to complete the OIG required review of SSA’s
information security program and practices and its sensitive systems.

We also considered the security implications of OMB Memoranda M-06-15 and
M-06-19.
We reviewed SSA’s Senior Official for Privacy report for 2006, monitored
US-CERT reporting activity, and reviewed SSA’s response to M-06-19.

The results of our FISMA evaluation are based on the PwC FY 2006 Independent
Accountants’ Report on Applying Agreed-Upon Procedures and its working papers,
and on various audits and evaluations performed by this office. We also reviewed the final
draft of SSA's FY 2006 Security Program Review as required by the Federal Information
Security Management Act.

Our major focus was an evaluation of SSA’s plan of action and milestones (POA&M),
risk models and configuration settings, certifications and accreditations (C&A), and
systems inventory processes. Our evaluation of SSA’s POA&Ms included an analysis
of the Automated Security Self-Evaluation and Remediation Tracking system and its
policies. Our review of the Agency’s C&A process included an analysis of all 20 C&As,
one for each major system.
We also reviewed SSA’s updated systems inventory and the
policy for the update processes.

We performed field work at SSA facilities nationwide from March to September 2006.
Our evaluation was performed in accordance with generally accepted government
auditing standards.

1 Public Law 107-347, Title III, Section 301, 44 U.S.C. § 3545 (a)(1), (a)(2), and (b)(1).

                                                                                    Appendix E

Systems Certified and Accredited in Fiscal Year 2006

 #    System                                                        Acronym

      General Support Systems
 1    Audit Trail System                                            ATS
 2    Comprehensive Integrity Review Process                        CIRP
 3    Death Alert Control & Update System                           DACUS
 4    Debt Management System                                        DMS
 5    Disability Case Adjudication and Review System                DICARS
 6    Disability Control File System                                DCFS
 7    Enterprise Wide Area Network and Services System              EWANSS
 8    FALCON Data Entry System                                      FALCON
 9    Human Resources Management Information System                 HRMIS
 10   Integrated Client Database                                    ICDB
 11   Logiplex Security Access Systems                              LSAS
 12   Recovery of Overpayments, Accounting, & Reporting System      ROAR
 13   Social Security Online Accounting and Reporting System        SSOARS
 14   Social Security Unified Measurement Systems                   SUMS

      Major Applications
 1    Electronic Disability System                                  eDib
 2    Earnings Record Maintenance System                            ERMS
 3    Retirement, Survivors & Disability Insurance System –         RSDI – Accounting
      Accounting
 4    SSN Establishment & Correction System
                                                                    SSNECS
 5    Supplemental Security Income Records Maintenance System       SSIRMS
 6    Title II System

                                                                                    Appendix F

OIG Contacts and Staff Acknowledgments

OIG Contacts

   Kitt Winter, Director, Data Analysis and Technology Audit Division
   (410) 965-9702

   Phil Rogofsky, Audit Manager, Network Security and Telecommunications Branch
   (410) 965-9719

Acknowledgments

In addition to the persons named above:

   Harold Hunter, Senior Auditor

   Annette DeRito, Writer/Editor

For additional copies of this report, please visit our web site at
www.socialsecurity.gov/oig or contact the Office of the Inspector General’s Public
Affairs Specialist at (410) 965-3218. Refer to Common Identification Number
A-14-06-16084.

                           DISTRIBUTION SCHEDULE

Commissioner of Social Security
Office of Management and Budget
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Subcommittee on Human Resources
Chairman and Ranking Minority Member, Committee on Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Government Reform, House of Representatives
Chairman and Ranking Minority Member, Committee on Science, House of Representatives
Chairman and Ranking Minority Member, Committee on Governmental Affairs, U.S. Senate
Chairman and Ranking Minority Member, Committee on Commerce, Science and Transportation, U.S.
Senate
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services,
Education and Related Agencies, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services,
Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging

               Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),
Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office
of Resource Management (ORM). To ensure compliance with policies and procedures, internal
controls, and professional standards, we also have a comprehensive Professional Responsibility
and Quality Assurance program.

                                        Office of Audit

OA conducts and/or supervises financial and performance audits of the Social Security
Administration’s (SSA) programs and operations and makes recommendations to ensure
program objectives are achieved effectively and efficiently. Financial audits assess whether
SSA’s financial statements fairly present SSA’s financial position, results of operations, and cash
flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s programs
and operations.
OA also conducts short-term management and program evaluations and projects
on issues of concern to SSA, Congress, and the general public.

                                    Office of Investigations

OI conducts and coordinates investigative activity related to fraud, waste, abuse, and
mismanagement in SSA programs and operations. This includes wrongdoing by applicants,
beneficiaries, contractors, third parties, or SSA employees performing their official duties. This
office serves as OIG liaison to the Department of Justice on all matters relating to the
investigations of SSA programs and personnel. OI also conducts joint investigations with other
Federal, State, and local law enforcement agencies.

                   Office of the Chief Counsel to the Inspector General

OCCIG provides independent legal advice and counsel to the IG on various matters, including
statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on
investigative procedures and techniques, as well as on legal implications and conclusions to be
drawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary
Penalty program.

                              Office of Resource Management

ORM supports OIG by providing information resource management and systems security. ORM
also coordinates OIG’s budget, procurement, telecommunications, facilities, and human
resources. In addition, ORM is the focal point for OIG’s strategic planning function and the
development and implementation of performance measures required by the Government
Performance and Results Act of 1993.